Defence

Many of the world’s armed forces are increasingly taking cybersecurity seriously, not least of all Germany. Lucy Ingham hears from Dr Gabi DreoRodosek, director of the cybersecurity research centre CODE, located at the University of Federal Armed Forces Munich, about the challenges that lie ahead

For the world of defence, digital is surely the newest battleground. Cybersecurity, once a fringe area with little military support, has now become a major concern, enjoying significant investment as online attacks are increasingly producing offline problems.

While some countries have been slow to establish themselves as key players in military cybersecurity, Germany has recently ramped up its investment, with a slew of institutions dedicated to improving the nation’s cyber defence capabilities.

One of these, based at the Universität der Bundeswehr München, or University of Federal Armed Forces Munich, is CODE, a dedicated cybersecurity research centre that looks set to become the leading institution of its type in the country.

Building off a research institution first established in 2013, CODE was initially announced in 2016 as part of a slew of plans for Germany’s ongoing cybersecurity strategy, and formally opened in July of this year with the appointment of 11 new senior research positions as well as supporting staff and junior researchers. The recipient of an undisclosed investment in the tens of millions, in 2021 the centre will even see the opening of a dedicated building on the campus, equipped with state-of-the art cybersecurity labs and sophisticated technologies to support the researchers’ efforts.

“We need to develop capabilities in cyber defence, and so the Ministry of Defence established the cyber cluster at the university,” summarises Dr Gabi Dreo Rodosek, director of CODE and chair of communication systems and network security at Universität der Bundeswehr München.

However, this is not just about the military. Cyber attacks generally impact far more than just defence organisations, and so CODE is working across civil, military and industry to further Germany’s cybersecurity capabilities.

“CODE as an institute now is to combine everything about security: civil security, military security, research and, of course, industry, because everybody has to work together,” says Dreo Rodosek.

The many sides of cybersecurity: CODE’s five research pillars

In its mission to cover such a vast platform of cybersecurity, CODE has five pillars of research upon which it is focusing, with a view to producing demonstrators: actionable research that can be made first into prototypes and then commercial products.

“What we want here is really to build everything together in terms of the value chain,” explains Dreo Rodosek. “So we want to make clear that what we are developing is demonstrators, but then also to fill the gap to the product; so to prototype and then afterwards the industry will make products out of it.”

As a result of this focus, the five pillars not only include core cybersecurity efforts, but many of the real-world technologies that can be involved in attacks.

“What we are developing is demonstrators, but then also to fill the gap to the product.”

While the first pillar concerns conventional cyber defence, summarised by Dreo Rodosek as “everything in connected networks, social networks, intrusion detection, new technologies like software-defined networking, analysis and penetration testing [and] security and digital identities”, the second focuses on smart data, including its acquisition and analysis.

The others consist of mobile security, such as “connected cars, connected planes”, e-health, summarised as “everything that's involved in the digitalisation of hospitals”, and critical infrastructure, including smart energy supplies, banking and insurance.

However, while there are a host of research opportunities around these areas, which should in time lead to real-world products that actively improve cybersecurity, there are also a host of issues that affect all areas of CODE’s research.

Advanced persistent threats: the unseen challenge

One of the biggest concerns in cybersecurity – and a strong future focus for CODE – is advanced persistent threats, or APTs. Sometimes also referred to as smart attacks, these are threats that are new and so not easily detectable.

“They are targeted, so to a specific person, a specific address; new, not yet known; complex, which means to address several vulnerabilities and several attack vectors; persistent, so they are in your systems and you don’t know it and of course very difficult to detect,” explains Dreo Rodosek.

“APTs will be a strong focus of CODE, as they require considerable and constant research to tackle.”

Such APTs will be a strong focus of CODE, as they require considerable and constant research to tackle. However, being unknown, they can also be immensely challenging to undertake research into.

Having specialised in APTs for much of her career, Dreo Rodosek believes a strong focus should be on anomaly detection – the identification of unexpected or out of place behaviours in the network – however this comes with its own challenges.

“The point is the most harm [comes from] what I don't know, so how do I do detect what I don't know? Well it is of course to detect anomalies, and the point here is what is normal behaviour and what is not normal behaviour? How do I identify this?” she asks.

Automated responses: the cybersecurity holy grail

Eventually, it is hoped that many APTs will be handled with automated systems that will identify and automatically stop attacks as they are in progress.

Such “automated cyber defence” will, according to Dreo Rodosek, involve building “learning systems using machine learning to automate the detection, the identification, what the problem is, what the attack vector is, and to make automated mitigation.”

It's a tool that CODE hopes to develop, but it will require the creation of sophisticated artificial intelligence that is able to accurately identify attacks, diagnose their methods and automatically stop them from doing damage.

“This is a new challenging issue for research. We have some parts already, which can be used by the whole picture, from automated detection and automated mitigation.”

However, such a tool is still some way away, and remains something of a holy grail within the cybersecurity industry.

“This is a new challenging issue for research. We have some parts already, which can be used by the whole picture, from automated detection and automated mitigation,” explains Dreo Rodosek, adding that such automatic systems were still “two or three years” away.

And with automated systems, it would be imperative to ensure that any mitigation of an in-progress attack didn’t come at the expense of blameless third parties, such as those whose computers had unwittingly been co-opted into forming part of a botnet – a vast network of systems being controlled to perform attacks by hackers.

“Let's say I'm blocking a denial of service attack to my web server, and I'm doing something like mirroring, to mirror, to track it back,” explains Dreo Rodosek, referring to a common method used by network security experts, “I could attack someone completely innocent because the server was overtaken by a botnet.”

Protecting critical infrastructure: the continuous arms race

While automated systems remain a few years away, here and now CODE is directly involved in the development of solutions to a more pressing problem: attacks on critical infrastructure, such as power grids and banking systems.

Successful attacks on critical infrastructure are relatively rare – particularly in the West – however when they do occur they can be devastating, at best causing widespread disruption, and at worse causing serious economic damage and even deaths.

Here the focus is to provide continuous protection, both in terms of detecting intrusions into critical infrastructure systems and taking steps to stop them.

“The point is to protect, to develop concepts to – if an intrusion is detected – protect infrastructure, first to do what's possible about protection, and then in case it is identified, to make countermeasures,” she explains. “Countermeasures would mean, for example if I see that I have a DDoS attack,” referring to a distributed denial of service attack, where a server is overwhelmed by a vast network of machines all trying to access it at once , “then I would redirect all the traffic to zero: to null.”

“The attacks are developing and the countermeasures are developing as well. It's always a race on critical infrastructure.”

However, the development of such countermeasures is a continuous arms race with hackers, with new attack types being developed as quickly as ways to counter them can be produced.

“The attacks are developing and the countermeasures are developing as well,” she says. “It's always a race on critical infrastructure.”

Sometimes, the advances aren’t even new, as changing technology can bring new capabilities to once-thwarted attack styles.

DDoS attacks are a prime example of this, having been a popular attack style in the past that was all but solved by the cybersecurity industry.

“In the research and also in the mitigation actually [researchers] said: ‘DDoS? Ah - old stuff, we solved this issue’,” says Dreo Rodosek.

However, with the rise of the Internet of Things (IoT), a huge array of poorly secured devices has become available, making it very easy for hackers to amass vast networks of bots to perform such attacks.

“Now with IoT there is a completely new structure here, because there are so many bots and the scalability is so big that DDoS is coming back.”

The researchers become the target

Cybersecurity research is immensely complex, with researchers facing an unseen and constantly moving target that makes success remarkably difficult. However, it can also be complicated by the fact that they themselves can become a target.

When CODE was announced last year, the research centre saw a six-fold increase in attacks on its systems within just a month, as hackers became more aware of its existence.

“We have in some honeypots, and we can of course get the attention of hackers to learn how the attack patterns are developing.”

However, attacks can also be a useful source of data, particularly as Dreo Rodosek and her colleagues have set up honeypots in their systems to monitor how attack styles continue to change.

“There's always development, and we have in part of the university network some honeypots, and we can of course get the attention of hackers to learn from them how the attack patterns are developing,” she says. “[These honeypots appear to hackers to be] very important servers with important information. So they work as a trap for the attacker.”

With attack styles forever changing, cybersecurity research will never be done, but as threats increase, so too will institutions such as CODE.